SPECIFICATION 

METHOD AND APPARATUS OF COMMUNICATING 
SECURITY/ENCRYPTION INFORMATION TO A PHYSICAL 
LAYER TRANSCEIVER 

BACKGROUND 

Field of the Disclosure 

[0001] The disclosure relates generally to link layer data communications. 

The Prior Art 

[0002] Physical Layer Transceivers ("PHY" or "PHYs") are known in the 
art for transmitting and receiving data through various media, such as copper and 
fiber optic cables. 

[0003] In a receive mode, the PHY functions as a device that receives data 
from the medium and decodes the data into a form appropriate for the receiving 
device. In a transmit mode, the PHY takes data from the device, typically from the 
Media Access Controller ("MAC"), and converts the data into a form appropriate 
for the medium in use. 
[0004] FIG. 1 is a functional block diagram of a typical prior art PHY 100. 
The PHY 100 is typically configured to interface between the MAC 110 of the 
host device and the medium 120. 

[0005] The PHY 100 typically includes analog circuitry 130 configured for 
receiving data from the medium 120 and decoding the data into a form 
appropriate for the host device using techniques known in the art. The PHY 100 
further includes digital circuitry 140 configured for receiving data from the MAC 
110 and converting the data into a form appropriate for the medium 120. 

[0006] The PHY 100 further includes memory and control circuitry 150 
configured to control the operation of the PHY, and in particular the digital 
circuitry 140. The memory and control circuitry 150 will typically include 
circuitry to interface with the MAC 110 through a bus interface 160, such as a 
Medium Independent Interface ("MII"), or a Gigabit Medium Independent 
Interface ("GMII"). 

BRIEF DESCRIPTION OF THE DRAWING FIGURES 
[0007] Figure 1 is a conceptual block diagram of a prior art PHY. 

[0008] Figure 2 is a conceptual block diagram of a data transmission 
system. 

[0009] Figure 3 is a conceptual block diagram of a PHY. 
[0010] Figure 4 is a flowchart of a method for providing link layer security. 

[0011] Figure 5 is a flowchart of a method for managing packet collisions 
using a crypto engine. 

[0012] FIGS 6a-6e are conceptual block diagrams showing various 
embodiments of providing communication between a PHY and associated 
security logic. 

DETAILED DESCRIPTION 
[0013] Persons of ordinary skill in the art will realize that the following 
description is illustrative only and not in any way limiting. Other modifications 
and improvements will readily suggest themselves to such skilled persons having 
the benefit of this disclosure. In the following description, like reference numerals 
refer to like elements throughout. 

[0014] This disclosure may relate to data communications. Various 
disclosed aspects may be embodied in various computer and machine readable 
data structures. Furthermore, it is contemplated that data structures embodying 
the teachings of the disclosure may be transmitted across computer and machine 
readable media, and through communications systems by use of standard 
protocols such as those used to enable the Internet and other computer 
networking standards. 
[0015] The disclosure may relate to machine readable media on which are 
stored various aspects of the disclosure. It is contemplated that any media suitable 
for retrieving instructions is within the scope of the present disclosure. By way of 
example, such media may take the form of magnetic, optical, or semiconductor 
media, and may be configured to be accessible by a machine as is known in the 
art. 

[0016] Various aspects of the disclosure may be described through the use 
of flowcharts. Often, a single instance of an aspect of the present disclosure may 
be shown. As is appreciated by those of ordinary skill in the art, however, the 
protocols, processes, and procedures described herein may be repeated 
continuously or as often as necessary to satisfy the needs described herein. 
Accordingly, the representation of various aspects of the present disclosure 
through the use of flowcharts should not be used to limit the scope of the present 
disclosure. 

[0017] This disclosure provides security at the link layer of a system. In 
this regard, the link layer may be defined in accordance with the OSI reference 
model. In particular, the IEEE 802.3 standard places the PHY between the MAC 
and the medium, and the devices residing in that position are what is meant by 
the link layer herein. 

[0018] In this disclosure, link layer security is provided in a transmission 
mode by encrypting data for confidentiality, authenticating data for integrity, or 
both as it is received from the MAC and prior to being transmitted from the PHY. 
Conversely, in a receive mode, data is decrypted, authenticated, or both as it is 
received by the PHY, prior to presentation to the MAC. 

[0019] Figure 2 is a diagram of a link layer data transmission system 205 
configured in accordance with the teachings of this disclosure. The system 205 
includes a transmitting device 200 coupled to a receiving device 260 through a 
medium 240. 

[0020] The transmitting device 200 includes an ASIC configured to 
function as a MAC 210 using techniques known in the art, and a PHY 230, such as 
that described in FIG. 1. 

[0021] Coupled between the MAC 210 and the PHY 230 is a crypto 
device 220. The crypto device 220 is preferably configured to encrypt the data 
packet 250 with a cipher such as DES, 3DES, RC4 or AES, to authenticate it 
with a hash function such as MD5 or SHA-1 (in practice in a keyed construction 
such as HMAC), or both, or to use other similar cryptographic algorithms. 

[0022] In this example, the data packet is received by the crypto device 
220 from the MAC 210, and encrypted/authenticated prior to being provided to 
the PHY 230 and transmitted onto medium 240. 

[0023] The system 205 also includes a receiving device 260 that is 
configured similar to the transmitting device 200, including a MAC 270, a crypto 
device 280, and a PHY 290. 
[0024] In the receiving device, the ciphered data packet 250 is received by 
the PHY 290 and provided to the crypto device 280, where the data is 
decrypted/authenticated and provided to the MAC 270. 

[0025] Of course, the operation disclosed in FIG. 2 may operate in the 
reverse path. 

[0026] FIG. 3 is a conceptual block diagram of a further embodiment of a 
PHY configured in accordance with the teachings of this disclosure. 

[0027] The embodiment of FIG. 3 provides that the crypto device is 
deployed on the same chip as the PHY, providing a single-chip link layer security 
solution. 

[0028] The device 300 includes a MAC 310 and a PHY 305. The PHY 305 
includes analog circuitry 330 configured in a receive mode for receiving data 
from the medium 350 and decoding the data into a form appropriate for the host 
device using techniques known in the art. In a transmit mode, the analog 
circuitry is configured to receive data from the MAC 310, and convert it into a 
form appropriate for the medium 350. 

[0029] The PHY 305 further includes digital circuitry 320 configured for 
receiving data from the MAC 310 and converting the data into a form appropriate 
for the medium 350 in a transmit mode, and for receiving data from the analog 
circuitry 330 and converting it into a format appropriate for the MAC 310 in a 
receive mode. 

[0030] The PHY 305 further includes memory and control circuitry 325 
configured to control the operation of the PHY, and in particular the digital 
circuitry 320. The memory and control circuitry 325 will typically include 
circuitry to interface with the MAC 310 through a bus interface 360, such as a 
MII, GMII, XGMII, XAUI, SGMII or RGMII. 

[0031] The PHY 305 also includes a crypto module 340 coupled to the 
digital circuitry 320. The crypto module may include control and memory 
circuitry 345 for operation of the cryptographic functions. The crypto module 
340 is preferably configured to encrypt/authenticate data received from the MAC 
310 prior to presentation to the analog circuitry 330, and decrypt/authenticate 
data received from the analog circuitry 330 prior to presentation to the MAC 310. 
The crypto module may employ the cryptographic techniques disclosed above. 

[0032] In a further embodiment, the crypto device 340 may be deployed 
using existing hardware already present in the PHY. It will be appreciated that 
by reusing existing hardware already present on the PHY to enable crypto 
features, significant real estate savings in the device may result. 

[0033] It is contemplated that a wide array of PHY components may be 
reused when implementing the disclosed cryptographic features. For example, 
the crypto device may reuse the PHY's pin or interface layout, memory map, 
various elements of the state machine, logic gates, or even one or more of the 
above. Likewise, devices exist that contain multiple PHYs, such as an Octal PHY 
that contain 8 PHY interfaces. In these devices the reuse of pins and other 
elements that already exist in the PHY can reduce die and package size, thus 
making the devices less expensive to manufacture. 

[0034] Similarly some chips incorporate the MAC as a portion of the PHY 
chip. In this case it may be possible to take advantage of elements from both the 
MAC and the PHY. 

[0035] It is also contemplated that the additional functionality provided by 
the crypto device may be utilized for other functions or features. For example, 
the crypto device may be configured to perform data compression. 

[0036] For example, in one embodiment, the device 300 of FIG. 3 may 
comprise a router in which the MAC 310 comprises an ASIC configured to also 
function as a switching fabric. In this case, there may be many PHYs present in 
the device, and by cross-utilizing the pre-existing structure of the PHY, additional 
security features may be added without additional chips. 

[0037] In a further disclosed embodiment, the crypto device may be 
employed to improve the overall performance and reliability of a data transmission 
system. 
[0038] As is appreciated by those of ordinary skill in the art, many such 
devices operate using a half duplex mode, where a common performance issue is 
the collision of data packets. 

[0039] It is contemplated that the additional functionality provided by the 
encryption device may improve collision management. 

[0040] In this embodiment, the encryption memory 345 may be employed 
to temporarily store the data and associated security information as the packet is 
transmitted. If a collision is detected, the stored information may be immediately 
reused and resent, without the need for the processor or MAC to resend the data, 
or to send new security information such as a security association. 

[0041] As will be appreciated by those having the benefit of this disclosure, 
this benefit may save processor cycle time, and may also improve performance by 
offloading some processing time from ASIC to the PHY. 

[0042] It is contemplated that the crypto device may take advantage of 
certain areas of memory on the PHY. PHYs that comply with certain industry 
standards, such as IEEE 802.3, provide a set of registers reserved for specific 
purposes and accessed through the MII Management Interface (MDIO/MDC). 
For example, registers 11-14 are reserved, and registers 16-31 are 
vendor-specific areas. 
[0043] It is contemplated that the security association database (SAD) used in 
the present disclosure may be directed to be written to certain areas in a 
predetermined order. For example, one bit in register 11 could be used to turn the 
crypto function on or off. Likewise, the crypto may need data, such as a key or 
security association, to perform a crypto function. This data could be accessed 
through register 12. This takes advantage of memory management techniques and 
structure already present. Of course, other registers may be used. 

[0044] Another benefit of this disclosure may be realized as reduced traffic, 
as the PHY could be programmed to drop or "trash" received traffic that does 
not pass the decryption/authentication module. In this example, data that does 
not properly decrypt or authenticate is flagged to be dropped by a subsequent 
module prior to being switched by the switching fabric, saving bandwidth in the 
switching fabric for other important functions. Because decryption alone always 
yields some output, the drop decision in practice rests on the authentication 
step: a packet is dropped when its integrity check fails. This could reduce the 
risk of an unauthorized user bringing down a network or networked device 
through denial of service attacks, thereby enhancing the reliability of the 
network. Alternatively, the security logic may interrupt the processor for further 
action. 

[0045] Figure 4 is a flowchart of a method of encrypting/authenticating 
data at the link layer of a data transmission system. In act 400, the PHYs wishing 
to communicate may auto-negotiate a link using techniques known in the art. It 
is to be understood that the encryption/authentication techniques disclosed 
herein may also be applied prior to auto-negotiation of a link. 
[0046] In act 410, the MAC of the transmitting PHY ("TX PHY") provides 
the data to be transmitted to the crypto engine. In act 420, the data is ciphered 
by the crypto engine and placed on the medium linking the PHYs by the TX 
PHY. 

[0047] In act 430, the receiving PHY ("RCV PHY") receives the cipher 
data from the link and presents the data to the RCV PHY's crypto engine, where 
the data is decrypted, authenticated, or both. 

[0048] In act 440, the plain data is then passed to the MAC of the RCV 
PHY. 

[0049] FIG. 5 is a flowchart of a method for managing packet collisions 
using a crypto engine. 

[0050] In act 500, the MAC of the TX PHY provides the data to be 
transmitted to the crypto engine. In act 520, the data is encrypted, authenticated 
or both by the crypto engine and placed on the medium linking the PHYs by the 
TX PHY. As mentioned above, the PHYs wishing to communicate may auto- 
negotiate a link using techniques known in the art, but the data may also be 
encrypted prior to auto-negotiation of a link. At this point, the 
encrypted/authenticated data is stored by the encryption engine. 

[0051] In query 530, the PHY determines whether a packet collision has 
occurred. If a collision has occurred, the stored packet is re-transmitted by the TX 
PHY. If no collision occurs, the communication process proceeds as normal and 
any data stored could be flushed or used space reclaimed. 
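
The transmit and receive paths of Figs. 2 and 4, the stored-ciphertext retransmit 
of Fig. 5, and the drop rule of [0044], as an added worked model that is not code 
from the disclosure. It assumes a wire format the disclosure does not fix (an 
8-byte packet number in clear, followed by the ciphertext and a 10-byte truncated 
HMAC-SHA1 tag), uses a SHA-256 counter-mode keystream as a stand-in for the AES 
named in the text so that it runs on the Python standard library alone, and 
constructs its own keys and sample frame. 

```python
"""Link-layer crypto engine model: TX/RX paths, collision retransmit, drop on failure.
Added example, not code from the disclosure. Wire format, key sizes, keys and frame are
constructed here; a SHA-256 counter-mode keystream stands in for the AES named in the text."""
import hashlib
import hmac
import struct

SEQ_LEN = 8    # assumed: 64-bit packet number, sent in clear but authenticated
TAG_LEN = 10   # assumed: truncated HMAC-SHA1 tag

class SecurityAssociation:
    """Keys plus packet-number state; one per direction per peer."""
    def __init__(self, enc_key, auth_key):
        self.enc_key, self.auth_key = enc_key, auth_key
        self.tx_seq = 0   # next packet number on transmit
        self.rx_seq = 0   # lowest packet number still accepted on receive

def _keystream(key, seq, n):
    """Counter-mode keystream bound to the packet number (AES-CTR stand-in)."""
    out = bytearray()
    for block in range((n + 31) // 32):
        out += hashlib.sha256(key + struct.pack(">QI", seq, block)).digest()
    return bytes(out[:n])

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def protect(sa, frame):
    """TX path (acts 410-420): encrypt, then authenticate seq || ciphertext."""
    seq, sa.tx_seq = sa.tx_seq, sa.tx_seq + 1
    hdr = struct.pack(">Q", seq)
    ct = _xor(frame, _keystream(sa.enc_key, seq, len(frame)))
    tag = hmac.new(sa.auth_key, hdr + ct, hashlib.sha1).digest()[:TAG_LEN]
    return hdr + ct + tag

def unprotect(sa, wire):
    """RX path (acts 430-440): plain frame, or None to flag the packet for dropping.
    Tag first, in constant time: decryption alone always yields bytes, so the
    drop decision of [0044] has to rest on the authentication check."""
    if len(wire) < SEQ_LEN + TAG_LEN:
        return None
    hdr, ct, tag = wire[:SEQ_LEN], wire[SEQ_LEN:-TAG_LEN], wire[-TAG_LEN:]
    expect = hmac.new(sa.auth_key, hdr + ct, hashlib.sha1).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    (seq,) = struct.unpack(">Q", hdr)
    if seq < sa.rx_seq:       # replayed or stale packet number
        return None
    sa.rx_seq = seq + 1
    return _xor(ct, _keystream(sa.enc_key, seq, len(ct)))

class TxEngine:
    """Crypto engine keeping the stored ciphered frame of [0040] / Fig. 5."""
    def __init__(self, sa):
        self.sa, self.pending = sa, None

    def send(self, frame):
        self.pending = protect(self.sa, frame)   # act 520: cipher and store
        return self.pending

    def retransmit_after_collision(self):
        """Query 530, collision branch: resend the stored bytes; no re-encryption, no
        new packet number or SA, no MAC involvement (same frame, same packet number)."""
        return self.pending

    def complete(self):
        self.pending = None   # no collision: flush the stored copy

class RxEngine:
    """Receive side with the drop counter the switching fabric is spared."""
    def __init__(self, sa):
        self.sa, self.dropped = sa, 0

    def receive(self, wire):
        frame = unprotect(self.sa, wire)
        if frame is None:
            self.dropped += 1   # flagged for dropping ahead of the fabric
        return frame

def demo():
    """Constructed exchange: one frame, one collision, one tamper, one replay."""
    enc_key, auth_key = b"K" * 16, b"A" * 20    # constructed sample keys
    tx = TxEngine(SecurityAssociation(enc_key, auth_key))
    rx = RxEngine(SecurityAssociation(enc_key, auth_key))
    # constructed 16-byte frame: broadcast dst, sample src, EtherType 0x0806, 2 bytes
    frame = bytes.fromhex("ffffffffffff" "020000000001" "0806" "0001")
    wire = tx.send(frame)
    resent = tx.retransmit_after_collision()   # first attempt collided
    tx.complete()
    got = rx.receive(resent)
    tampered = bytearray(wire)
    tampered[SEQ_LEN + 6] ^= 0x01              # flip one ciphertext bit
    return {
        "plain_ok": got == frame,
        "resend_identical": resent == wire and tx.sa.tx_seq == 1,
        "ciphertext_differs": wire[SEQ_LEN:SEQ_LEN + len(frame)] != frame,
        "tamper_dropped": rx.receive(bytes(tampered)) is None,
        "replay_dropped": rx.receive(wire) is None,
        "dropped": rx.dropped,
    }
```

Running `demo()` returns a dictionary of checks: the receiver recovers the frame, 
the retransmitted bytes equal the first transmission while the transmit packet 
number did not advance, a flipped ciphertext bit and a replayed frame are both 
dropped, and the drop counter reads 2. Two points the model makes explicit: the 
retransmit path resends the stored ciphertext rather than re-encrypting, which is 
safe only because it is the identical frame under the identical packet number (a 
different frame under a reused packet number would reuse keystream); and the drop 
decision is taken on the authentication tag, checked in constant time before any 
decryption, since decryption alone cannot tell a valid frame from garbage. 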

[0052] FIGS 6a-6e are conceptual block diagrams showing various 
embodiments of providing communication between a PHY and associated 
security logic. 

[0053] Referring generally to FIGS. 6a-6e, the device 600 includes a PHY 
605 and crypto device security logic 620. It is to be understood that the 
disclosed embodiments may be implemented with the PHY and security logic 
deployed as either a one- or multiple-chip solution. 

[0054] The PHY 605 and security logic 620 each include a 
communications module 610 and 625, respectively, configured to interface 
through a link 630. MAC data is presented to the PHY 605 through interface 
640, and data signals are transmitted and received on the link medium 650. 

[0055] In the embodiments disclosed herein, it is contemplated that any 
interface may be employed to communicate with the crypto device, such as 
MDIO/MDC (the IEEE 802.3 PHY management interface), S2W (Serial-to-Wire 
interface), I2C, or PCI (Peripheral Component Interconnect). 

[0056] Referring first to FIG. 6a, an embodiment is disclosed where the 
MDIO/MDC interface 645 of the PHY 605 is utilized to control the crypto 
process. The security information is passed to the PHY using the MDIO/MDC 
interface, and the PHY then decodes the security information and controls the 
security logic by communicating through the link 630. 

[0057] In this embodiment, the security information may be passed to 
predetermined memory registers in the communications module 610 of the PHY 
605, and then communicated to the security logic 620 using control signals, a 
FIFO, or other techniques known in the art, such as a state machine. 
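
The register-based control of [0042]-[0043] and the MDIO/MDC path of Fig. 6a 
([0056]-[0057]), as an added worked model that is not code from the disclosure. 
The frame layout is the IEEE 802.3 Clause 22 management frame; the register roles 
follow the text's own example (one bit of register 11 turns crypto on or off, 
register 12 carries key or security association data); the enable bit position, 
the 128-bit key loaded as eight 16-bit words, and the decision to make register 12 
write-only are assumptions made here. 

```python
"""Clause 22 MDIO/MDC management frames carrying security parameters to a PHY (Fig. 6a).
Added example, not code from the disclosure. Register roles follow [0043]; the enable
bit position, the key size and the write-only register 12 are assumptions made here."""

PREAMBLE = 0xFFFFFFFF          # 32 ones
ST = 0b01                      # start of frame
OP_WRITE, OP_READ = 0b01, 0b10
REG_CRYPTO_CTRL = 11           # [0043]: one bit here turns the crypto function on/off
REG_CRYPTO_DATA = 12           # [0043]: key / security association words go here
CRYPTO_ENABLE = 1 << 0         # assumed bit position of the enable flag

def mdio_write_frame(phyad, regad, data):
    """64-bit write frame: PRE(32) ST(2) OP(2) PHYAD(5) REGAD(5) TA(2)=10 DATA(16)."""
    if not (0 <= phyad < 32 and 0 <= regad < 32 and 0 <= data < 0x10000):
        raise ValueError("field out of range")
    return ((PREAMBLE << 32) | (ST << 30) | (OP_WRITE << 28) | (phyad << 23)
            | (regad << 18) | (0b10 << 16) | data)

def mdio_read_frame(phyad, regad):
    """Read frame; TA is Z0 on the wire (modelled as 00) and the PHY drives the data bits."""
    if not (0 <= phyad < 32 and 0 <= regad < 32):
        raise ValueError("field out of range")
    return (PREAMBLE << 32) | (ST << 30) | (OP_READ << 28) | (phyad << 23) | (regad << 18)

def decode_frame(frame):
    """Split a management frame the way the PHY's MII management interface does."""
    if (frame >> 32) != PREAMBLE or ((frame >> 30) & 0b11) != ST:
        raise ValueError("bad preamble or start bits")
    op = (frame >> 28) & 0b11
    phyad = (frame >> 23) & 0x1F
    regad = (frame >> 18) & 0x1F
    ta = (frame >> 16) & 0b11
    data = frame & 0xFFFF
    if op == OP_WRITE and ta != 0b10:
        raise ValueError("bad turnaround on write")
    if op not in (OP_WRITE, OP_READ):
        raise ValueError("unknown opcode")
    return op, phyad, regad, data

class SecurityLogic:
    """Crypto device side of link 630; only security parameters cross it ([0058])."""
    def __init__(self):
        self.enabled = False
        self.key_words = []

    def control(self, enable):
        self.enabled = enable

    def load_key_word(self, word):
        self.key_words.append(word)

class Phy:
    """PHY 605: a Clause 22 register file plus the decode step of Fig. 6a."""
    def __init__(self, phyad, security):
        self.phyad, self.security = phyad, security
        self.regs = [0] * 32

    def mdio(self, frame):
        """Handle one frame: read data, echo of written data, or None if not addressed."""
        op, phyad, regad, data = decode_frame(frame)
        if phyad != self.phyad:
            return None                  # another PHY on the shared MDIO bus
        if op == OP_READ:
            return self.regs[regad]
        if regad == REG_CRYPTO_CTRL:
            self.regs[regad] = data
            self.security.control(bool(data & CRYPTO_ENABLE))
        elif regad == REG_CRYPTO_DATA:
            # Forwarded over link 630, never mirrored: MDIO has no access control,
            # so a readable register 12 would hand the key to anything on the bus.
            self.security.load_key_word(data)
        else:
            self.regs[regad] = data
        return data

def demo():
    """Host loads a 128-bit key as eight 16-bit words, then enables crypto on PHY 3."""
    sec = SecurityLogic()
    phy = Phy(phyad=3, security=sec)
    key = 0x000102030405060708090A0B0C0D0E0F       # constructed sample key
    words = [(key >> (16 * i)) & 0xFFFF for i in range(7, -1, -1)]
    for w in words:
        phy.mdio(mdio_write_frame(3, REG_CRYPTO_DATA, w))
    phy.mdio(mdio_write_frame(3, REG_CRYPTO_CTRL, CRYPTO_ENABLE))
    other = phy.mdio(mdio_write_frame(4, REG_CRYPTO_CTRL, 0))   # PHYAD 4: not us
    return {
        "enabled": sec.enabled,
        "key_words": sec.key_words,
        "ctrl_readback": phy.mdio(mdio_read_frame(3, REG_CRYPTO_CTRL)),
        "key_readback": phy.mdio(mdio_read_frame(3, REG_CRYPTO_DATA)),
        "other_phy_ignored": other is None and sec.enabled,
    }
```

`demo()` loads a key and enables crypto on PHY address 3, ignores a write 
addressed to PHY 4 on the same bus, and reads register 11 back as 1 and 
register 12 back as 0. The write-only register 12 is the check worth keeping: 
the MDIO bus carries no authentication, so any driver or debug tool that can 
clock MDC can read every register; key material written through it should be 
forwarded to the security logic over link 630 and never mirrored in the PHY's 
register file. 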

[0058] In a further embodiment, the communications modules of the PHY 
and security logic may be configured such that only security parameters are 
communicated over the link. 

[0059] Referring now to FIG. 6b, an embodiment is shown where an 
interface 655 is provided that operates using a protocol other than MDIO/MDC. 
This embodiment uses separate interface 655 coupled directly to the 
communications module 625 of the security logic 620. Thus, the crypto 
information is provided directly to the crypto device at the PHY layer. 

[0060] Referring now to FIG. 6c, an embodiment is shown whereby PHY 
logic is incorporated into the security logic and coupled to the PHY through link 
660, and the MDIO/MDC interface 645 is utilized to control both the PHY 605 
and security logic 620. 

[0061] This embodiment thus provides the MDIO/MDC interface to both 
the PHY and security logic. It is contemplated that in this embodiment, the PHY 
and the security logic may be configured to read separate areas of the PHY 
register memory space. It is further contemplated that this embodiment is 
especially advantageous for single-chip solutions. 

[0062] Referring now to FIG. 6d, an embodiment is shown where a master 
communications module 670 is provided to interface with link 655. In this 
embodiment, the master communications module 670 is provided to provide 
connectivity using a communications protocol other than the MDIO/MDC 
protocol. 

[0063] The master communications module 670 is then coupled to both the 
PHY and security logic to provide control to each. The master communications 
device 670 may communicate with the PHY 605 and security logic 620 using an 
MDIO/MDC interface. 

[0064] It will be appreciated that the MDIO/MDC interface may be 
optional, and control may be provided through the interface link 655. 

[0065] Referring now to FIG. 6e, an embodiment is provided where 
the MDIO/MDC interface 655 is provided directly to the security logic, and the 
communications module 625 of the security logic 620 provides control signals for 
the PHY 605. The security logic 620 and PHY 605 may communicate using an 
MDIO/MDC interface. It is contemplated that mirror registers may be provided in 
the communications modules of both the PHY and security logic. 
[0066] In a further embodiment, the communications module of the security 
logic may be configured to interface using a protocol other than the MDIO/MDC 
protocol, and then control the PHY using an MDIO/MDC interface. It is 
contemplated that this embodiment may be useful to control multiple devices 
residing on the same chip. 

[0067] Additionally, the communications modules of the PHY and security 
logic may be configured such that only security parameters are communicated 
over the link. 

[0068] In a further embodiment, the security logic may be configured to 
periodically poll the registers of the PHY and update the contents of the registers 
of the security logic. Additionally, cache memory may be provided to allow the 
PHY to communicate through the security device using memory paging 
techniques. 

[0069] While embodiments and applications of this disclosure have been 
shown and described, it would be apparent to those skilled in the art that many 
more modifications and improvements than mentioned above are possible without 
departing from the inventive concepts herein. The disclosure, therefore, is not to 
be restricted except in the spirit of the appended claims. 